Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Cant even post a log or scan, help please![RESOLVED]


  • This topic is locked This topic is locked

#1
lukero

lukero

    Member

  • Member
  • PipPip
  • 23 posts
My computer is infected with much malware and viruses.
I attempted to run hijackthis, while saving the log file the program crashes and the log file is not saved.
Ad-Aware SE will not scan for no reason.
MS Anti-Spyware crashes at startup.
My Anti-Virus (Norman Anti-Virus) detects lots of viruses/trojans/loaders etc, but does not fix the problems.
I tried removing some malicious software in add/remove programs and it just freezes the Add/Remove wizard.
If I try to open up task manager, it tells me it is disabled.
I managed to get it up and running for 10 seconds and I saw many virus exes etc running.

If only I could post a log for you guys, I appreciate any help.

Edited by lukero, 07 June 2005 - 04:32 AM.

  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Download and run: http://www.silentrun...ent Runners.vbs

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

Let it run. It can take a few minutes. When it has finished it will produce a Startup Programs text file. Copy and paste that text file here in your next reply.

Regards,
  • 0

#3
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
My computer is only stable enough to run the files in safe mode, can I run it in that?
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Yes, it should work in safe mode.
  • 0

#5
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Ok, the problem I am having is with my 2nd computer. I sent the file to it through the LAN, double clicked to run the file on the other computer. HDD light is flashing alot but nothing has happened so far.
  • 0

#6
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Ran it in safe mode, heres the log file :

"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"SNInstall" = "C:\WINDOWS\system32\vxh8jkdq2.exe" [null data]
"Windows installer" = "C:\winstall.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Norman ZANDA" = "C:\Norman\bin\ZLH.EXE /LOAD /SPLASH" [null data]
"MPTBox" = "C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe" ["Canon Inc."]
"System" = "C:\WINDOWS\system32\kernels32.exe" [null data]
"d3zb.exe" = "C:\WINDOWS\system32\d3zb.exe" [null data]
"WindowsUpdate" = "C:\WINDOWS\System\svchost.exe /s" [null data]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2E246FAE-8420-11D9-870D-000C2917DE7F}\(Default) = "Loader Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Loader.dll" [empty string]
{C0557ABE-4F97-5EAD-D823-C94B13E646DE}\(Default) = "Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\d3kt32.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{4B4604E0-8961-11D4-A0EC-009099164712}" = "My MultiPASS"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Canon\MultiPASS4\DTM4.DLL" ["Canon Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "Shell" = "Explorer.exe init32m.exe" [MS], [null data]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssbezier.scr" [MS]


Startup items in "Bruno" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

INFECTION WARNING! The running services cannot be counted.
Presence of a spyware service is suspected.
The script has been forced to exit.


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
  • 0

#7
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
My hijackthis showed alot more malicious things aswell. Couldnt save a log.
  • 0

#8
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
It only takes 20-30 seconds for the computer to become unresponsive so I hope any of the steps you might give me will work....I also cant print.
  • 0

#9
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
OK. I'm going to make a regfile so we can disable some malware.
Hopefully that will enable you to boot normally and run some scanners.

Copy the part in bold below into notepad and save it as bequiet.reg
Set filetype to "All files"

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SNInstall"=-
"Windows installer"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System"=-
"d3zb.exe"=-
"WindowsUpdate"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C0557ABE-4F97-5EAD-D823-C94B13E646DE}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E246FAE-8420-11D9-870D-000C2917DE7F}]

[-HKEY_CLASSES_ROOT\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}]

[-HKEY_CLASSES_ROOT\CLSID\{C0557ABE-4F97-5EAD-D823-C94B13E646DE}]


Doubleclick that file and confirm you want to merge it with the registry.

Still in safe mode delete:
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\system32\d3zb.exe
C:\WINDOWS\System\svchost.exe <= IMPORTANT NOTE the real svchost.exe is in the system32 folder. Leave that one alone

Let me know if you can boot normally after doing this.

Regards,
  • 0

#10
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
"C:\WINDOWS\system32\kernels32.exe"

Tells me it is in use.

"C:\WINDOWS\system32\d3zb.exe"

Deleted without error.

"C:\WINDOWS\System\svchost.exe"

Tells me in use.

I haven't tried booting normally again, I also have these virus/malicious files that I cannot delete :

vxgame3.exe
vxgame4.exe
vxgamet2.exe
vxh8jkdq2.exe
vxh8jkdq5.exe
vxh8jkdq6.exe
vxh8jkdq7.exe

And some files I think are malicious :

abc.exe
latest.exe
~update.exe
dskike.exe
auto_update_uninstall.exe

lots more that look malicious..
And a couple that look generated by the viruses under C:/
  • 0

Advertisements


#11
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\vxh8jkdq5.exe
C:\WINDOWS\System32\vxh8jkdq6.exe
C:\WINDOWS\System32\vxh8jkdq7.exe
C:\WINDOWS\System32\auto_update_uninstall.exe
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\System\svchost.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not reboot by itself, do it manually.
I only listed the files I was sure about, we will let the scanners deal with the rest later.

Regards,
  • 0

#12
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Done, haven't got any virus warnings yet.
The comp is very unresponsive and I still cant access task manager.

Edit :
Cant log off or goto the start menu or anything, av was disabled when starting up. Ouch...

Edited by lukero, 07 June 2005 - 06:14 AM.

  • 0

#13
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
But can you run HijackThis and post a log?

If so, don't hesitate. :tazz:

Regards,
  • 0

#14
lukero

lukero

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Finally did one in safe mode :

Logfile of HijackThis v1.99.1
Scan saved at 10:19:06 PM, on 7/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Bruno\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50162
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50162
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Class - {C882941C-7458-318F-A68D-455DED9D6FBE} - C:\WINDOWS\syskl.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [oF3W3tQ] dskike.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ah96iio7] C:\WINDOWS\system32\ah96iio7.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [syskl.exe] C:\WINDOWS\syskl.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\win32.exe
O4 - HKCU\..\Run: [Zos6Rjc2X] ds3sys.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O21 - SSODL: System - {8FB956BD-32B8-4C09-B7AD-FF27B9FA8C2F} - vr_sys.dll (file missing)
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ipqg.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

The virus's are countless.
Looks like it added alot of bad and ad sites to my trusted sites/ips !
If I wasnt in safe im sure it would show lots more bad processes.

Edited by lukero, 07 June 2005 - 06:22 AM.

  • 0

#15
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50162

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50162
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Class - {C882941C-7458-318F-A68D-455DED9D6FBE} - C:\WINDOWS\syskl.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [oF3W3tQ] dskike.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ah96iio7] C:\WINDOWS\system32\ah96iio7.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [syskl.exe] C:\WINDOWS\syskl.exe

O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\win32.exe
O4 - HKCU\..\Run: [Zos6Rjc2X] ds3sys.exe

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O21 - SSODL: System - {8FB956BD-32B8-4C09-B7AD-FF27B9FA8C2F} - vr_sys.dll (file missing)
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ipqg.exe

O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

Click Start > Run type services.msc > OK
In the list of services find:
WebSeach Toolbar support NT service (TBPSSvc)
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: TBPSSvc

In the list of services find:
WinTools for IE service (WinToolsSvc)
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: WinToolsSvc

Then in safe mode delete (if present):
C:\Program Files\Common Files\WinTools <= entire folder
C:\Program Files\Toolbar <= entire folder
C:\WINDOWS\system32\win32.exe
C:\WINDOWS\syskl.exe
C:\Program Files\BullsEye Network <= entire folder
C:\Program Files\Internet Optimizer <= entire folder
C:\Program Files\CxtPls <= entire folder
C:\WINDOWS\System32\msxct.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\ah96iio7.exe

Let me know if you can run Norman or MSAS when you are done.

Regards,
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP